5 Understanding the Oracle Directory Synchronization Service
6 Configuring Directory Synchronization
6.5 Extending Mappings Using Custom Plug-ins
You can extend mapping functionality using custom plug-ins. The
oracle.ldap.odip.util.mapapi.IMapOperation Java interface is defined to support plug-ins for new mapping operations. This topic explains Oracle Directory Integration Platform support for custom plug-ins to extend mapping functionality and contains the following sections:
■ Writing Custom Plug-Ins
■ Mapping Plug-In Evaluation Constraints
■ Adding Mapping Plug-Ins
■ Applications of Mapping Plug-Ins
■ Example Plug-In Usage
6.5.1 Writing Custom Plug-Ins
To extend mapping functionality using custom plug-ins you must implement the oracle.ldap.odip.util.mapapi.IMapOperation interface, which requires implementing the evaluate method as follows:
Vector evaluate(Vector operands);
The operands argument is a vector. Elements of the operands vector can be one of the following, based on the plug-in invocation given in the mapping rule:
See Also:
■ "Location and Naming of Files" on page 6-19 for the names of the mapping rule files
■ Note 261342.1 Understanding DIP Mapping Files in My Oracle Support (formerly MetaLink) at:
http://metalink.oracle.com/
Extending Mappings Using Custom Plug-ins
■ Vector of values (attributes passed as argument for the plug-in)
■ String (String literal is passed as argument for the plug-in)
■ Character (Character literal)
Return type is a Vector. All elements of this Vector must be Strings or byte arrays. If you want to return a single string, a new vector of size 1 must be created and the string has to be added to it. This restriction is enforced to allow multi-valued attributes.
For example:
cn,sn: : :person:description: :person:PLUGIN#MyPlugin(cn, sn, “Mr”)
The plug-in class MyPlugin should implement Vector evaluate(Vector operands) method. As per the plug-in invocation in the above mapping rule, the following are the elements of operands:
■ element1 is a Vector containing all values of cn (Even if cn has only a single value)
■ element2 is a Vector containing all values of sn (Even if sn has only a single value)
■ element3 is a String literal "Mr"
6.5.2 Mapping Plug-In Evaluation Constraints
■ If an attribute has multiple values, the corresponding plug-in will be called only once with all the attribute values stored in a Vector. The plug-in will not be called once per each attribute value.
■ Empty String literals (" ") or Character literals (’ ’) will be ignored.
■ You must identify the type of each element in the vector operands of the evaluate() method and process accordingly, as per the plug-in invocation.
■ A combination of plug-ins and the existing mapping rule operators or functions is not supported. For example, the following combination is not supported as mapping rule:
Plugin#MyPlugin(cn, sn) + givenanme toupper(Plugin#(MyPlugin(cn,sn))
Plugin#TempPlugin1(cn) + Plugin#TempPlugin2(sn)
■ Oracle recommends that Mapping plug-in invocation in different attribute rules follow the same invocation signature. The following example is not recommended and is highly error prone because Myplugin has different invocation signatures:
sn: : :person:givenname: :person:PLUGIN#Myplugin(sn,"Mr") cn: : :person:description: :person:PLUGIN#Myplugin(cn)
6.5.3 Adding Mapping Plug-Ins
To add a mapping plug-in to Oracle Directory Integration Platform:
1. If it is running, stop the WebLogic Managed Server hosting Oracle Directory Integration Platform.
2. Copy the mapping plug-in JAR file to the /APP-INF/lib/ directory in the path where the Oracle Directory Integration Platform application was exploded. For example:
MW_HOME/user_projects/domains/DOMAIN_NAME/servers/MANAGED_SERVER_NAME/tmp/
_WL_user/DIP_VERSION_NUMBER/RANDOM_CHARACTERS/APP-INF/lib/
Extending Mappings Using Custom Plug-ins
3. Start the WebLogic Managed Server hosting Oracle Directory Integration Platform.
6.5.4 Applications of Mapping Plug-Ins
This section describes various applications of Mapping plug-ins, including:
■ Support for New Mapping Operations
■ Support for Multiple Literal Values
6.5.4.1 Support for New Mapping Operations
Applications can implement their own mapping operations that are not supported internally by the mapping framework.
Support for Conditional Mapping Conditional Attribute Mapping Support
You can support attribute mapping based on a condition. For example, the application can support a mapping rule where if the credential attribute is present, then orclpassword must be set to ENABLED, and if not present, the orclpassword must be set to DISABLED. This logic can be supported by implementing a plug-in to assign this value. The mapping rule should be as follows:
credential: : :UserType:orclisenabled::orcluserv2:ConditionalAttrBasedOnPresence(credential)
Conditional DN Mapping Support
You can support DN container mapping based on a condition. For example, users must be mapped to container ou=sales,dc=acme,dc=com if department is Sales and mapped to container ou=IT,dc=acme,dc=com if department is IT. To support this mapping:
■ The DomainRules section can have a construction rule like:
NONLDAP:dc=acme,dc=com:cn=%,ou=%,dc=acme,dc=com
■ The AttributeRules section can have a rule with a plug-in operation to map ou as follows:
department: : :UserType:ou: :orcluserv2:ConditionalOUMapping(department)
6.5.4.2 Support for Multiple Literal Values
The current mapping framework only supports specifying a single literal value for an attribute. However, there might be a need to specify more than one literal value when an attribute can have multiple default values. For example, in case of Microsoft Exchange, there is a showInAddressBook attribute which can have more than one value. This can also be implemented using plug-ins.
6.5.5 Example Plug-In Usage
This section provides examples of plug-in usage.
Example 1: Attribute Mapping Rule
cn: : :person:initials: :person:PLUGIN#PluginSamp1(cn)
Extending Mappings Using Custom Plug-ins
Example 1: Corresponding Plug-In Implementation Vector evaluate(Vector operands)
{
Vector all_cnValues = (Vector)operands.get(0);
Vector result = new Vector();
….
….
//All the elements of this result must be strings.
return result;
}
Example 2: Attribute Mapping Rule
cn: : :person:givenname: :person:PLUGIN#Myplugin(cn,"Mr")
Example 2: Corresponding Plug-In Implementation Vector evaluate(Vector operands)
{
Vector all_cnValues = (Vector)operands.get(0);
String strOperand = (String)operands.get(1);
Vector result = new Vector();
for(int i=0; i<all_cnValues.size(); i++) {
String cnValue = (String) all_cnValues.get(i);
String givenNameNewValue = strOperand + cnValue;
result.add(givenNameNewVlaue);
}
//All the elements of this result must be strings.
return result;
}
Example 3: Attribute Mapping Rule
mail: : :inetorgperson:mail: :inetorgperson: Plugin#MyPlugin(mail, ‘@’)
Example 3: Corresponding Plug-In Implementation Vector evaluate(Vector operands)
{
Vector all_mailValues = (Vector) operands.get(0);
Character charOperand = (Character) operands.get(1);
char charOperandValue = charOperand.charValue();
Vector result = new Vector();
….
….
….
return result;
}
Example 4: Attribute Mapping Rule
cn,sn,mail: : :inetorgperson:description: :inetorgperson Plugin# MyPlugin(cn, sn, mail)
Configuring Matching Filters
Example 4: Corresponding Plug-In Implementation Vector evaluate(Vector operands)
By default, a connector retrieves changes to all objects in the container configured for synchronization. However, you may want to synchronize only certain types of changes, such as changes to just users and groups. While mapping rules allow you to specify how entries are converted from one directory to another, you can also filter objects that are synchronized among directories. Before changes from a connected directory are imported into Oracle Internet Directory, they can be filtered with the Connected Directory Matching Filter (orclODIPConDirMatchingFilter) attribute in the synchronization profile. Similarly, before changes are exported from Oracle Internet Directory to a connected directory, they can be filtered with the OID Matching Filter (orclODIPOIDMatchingFilter) attribute. For both attributes, you can specify a filter for connected directories that either obtain incremental changes through an LDAP search or that store changes in a change log, as described in the following sections:
■ Filtering Changes with an LDAP Search
■ Filtering Changes from a Change Log
6.6.1 Filtering Changes with an LDAP Search
For connected directories that do not support change logs, the latest footprint of the entries are obtained by performing an LDAP search. Because an LDAP search that is performed with objectclass=* will return all entries in a given tree or subtree, to retrieve only the objects of interest for synchronization, you must provide a filter using LDAP filter syntax. For example, you can assign a search filter to the
orclOdipConDirMatchingFilter attribute. You specify the filter as searchfilter=LDAP_SEARCH_FILTER.
The following example creates an LDAP search filter that retrieves organizational units, groups, and users, but not computers:
searchfilter=(|(objectclass=group)(objectclass=organizationalUnit) (&(objectclass=user)(!(objectclass=computer))))
6.6.2 Filtering Changes from a Change Log
For connected directories that store changes in a change log, you can use the following simple operators, which are provided by Oracle Directory Integration Platform, to specify a matching filter for either the Connected Directory Matching Filter